CVE-2025-9560: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in extendthemes Colibri Page Builder
The Colibri Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's colibri_newsletter shortcode in all versions up to, and including, 1.0.334 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AI Analysis
Technical Summary
CVE-2025-9560 identifies a stored cross-site scripting vulnerability in the Colibri Page Builder plugin for WordPress, specifically in the colibri_newsletter shortcode. This vulnerability arises from improper neutralization of input during web page generation (CWE-79), where user-supplied attributes are not adequately sanitized or escaped before rendering. As a result, authenticated users with contributor-level access or higher can inject arbitrary JavaScript code into pages. When other users visit these pages, the malicious scripts execute in their browsers, potentially compromising session tokens, redirecting users, or performing unauthorized actions within the context of the affected site. The vulnerability affects all versions up to and including 1.0.334. The CVSS 3.1 base score of 6.4 reflects a medium severity, with an attack vector of network (remote), low attack complexity, requiring privileges (contributor or above), no user interaction, and a scope change due to the impact on other users. No public exploits are currently known, and no official patches have been released at the time of this report. The vulnerability's exploitation requires authenticated access, limiting exposure to sites with multiple contributors or editors. However, the widespread use of WordPress and the popularity of the Colibri Page Builder plugin increase the potential attack surface. The stored nature of the XSS makes it persistent and more dangerous than reflected XSS, as injected scripts remain on the server and affect all visitors to the compromised pages.
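The pattern behind this class of bug, shown as an added illustration that is not the plugin's code (the shortcode name `demo_newsletter`, its attributes and the handler names are assumptions): a shortcode handler that concatenates user-controlled attributes into HTML, beside one that escapes each value for its output context with WordPress's own escaping functions.

```php
<?php
// Added illustrative example; this is not code from the Colibri Page Builder
// plugin. The shortcode name "demo_newsletter" and its attributes are
// assumptions. It shows the CWE-79 pattern the advisory describes: shortcode
// attributes reaching HTML output without context-appropriate escaping.

// Vulnerable pattern: attribute values are concatenated into markup as-is.
// Anyone allowed to place the shortcode (contributor and above) controls
// "title" and "button_url", so whatever they type is rendered verbatim for
// every visitor of the page.
function demo_newsletter_unsafe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Subscribe', 'button_url' => '#' ),
        $atts,
        'demo_newsletter'
    );
    return '<div class="newsletter"><h3>' . $atts['title'] . '</h3>'
        . '<a class="button" href="' . $atts['button_url'] . '">Sign up</a></div>';
}

// Hardened pattern: escape each value for the exact context it lands in.
// esc_html() for element text, esc_attr() for attribute values, esc_url()
// for href (it returns '' for schemes outside wp_allowed_protocols()).
function demo_newsletter_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Subscribe', 'button_url' => '#', 'css_class' => '' ),
        $atts,
        'demo_newsletter'
    );
    $url = esc_url( $atts['button_url'] );
    return sprintf(
        '<div class="newsletter %1$s"><h3>%2$s</h3><a class="button" href="%3$s">Sign up</a></div>',
        esc_attr( $atts['css_class'] ),
        esc_html( $atts['title'] ),
        '' !== $url ? $url : '#'
    );
}

// Register only the hardened handler. Output escaping at render time is the
// fix the advisory's wording points to; sanitizing on save (for example with
// sanitize_text_field()) is a complementary layer, not a replacement.
add_shortcode( 'demo_newsletter', 'demo_newsletter_safe' );
```

Attributes that legitimately need limited HTML should go through `wp_kses_post()` rather than `esc_html()`; the rule stays the same, one escaping function per output context.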
Potential Impact
For European organizations, this vulnerability poses risks primarily to websites and web applications built on WordPress using the Colibri Page Builder plugin. Exploitation can lead to session hijacking, unauthorized actions performed on behalf of users, defacement, or distribution of malware via injected scripts. This can damage organizational reputation, lead to data breaches involving user credentials or personal data, and disrupt business operations. Organizations with multiple content contributors are at higher risk since the vulnerability requires contributor-level access. Given the extensive use of WordPress in Europe for corporate, governmental, and e-commerce sites, the impact could be significant, especially for sectors relying on web presence for customer engagement or critical services. Additionally, the scope change in the CVSS vector indicates that the vulnerability can affect users beyond the initial attacker, increasing the potential damage. The absence of known exploits suggests limited current active attacks, but the medium severity and ease of exploitation by insiders or compromised accounts warrant proactive mitigation.
Mitigation Recommendations
European organizations should immediately audit user roles and permissions on WordPress sites using the Colibri Page Builder plugin, restricting contributor or higher privileges to trusted users only. Implement strict content review and approval workflows to detect and prevent malicious shortcode usage. Employ web application firewalls (WAFs) with rules targeting XSS payloads specific to WordPress shortcodes. Monitor logs and content changes for suspicious activity related to the colibri_newsletter shortcode. Until an official patch is released, consider disabling or removing the Colibri Page Builder plugin if feasible. Educate content contributors about the risks of injecting untrusted code or content. Use security plugins that provide input sanitization and output escaping enhancements. Regularly update WordPress core and plugins to incorporate security fixes promptly. Finally, conduct penetration testing focused on stored XSS vectors to identify any residual vulnerabilities.
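One way to act on the content-monitoring recommendation above, as an added example rather than anything from the advisory or the plugin: a PHP audit run inside a WordPress bootstrap (for instance via WP-CLI's `wp eval-file`) that lists colibri_newsletter shortcodes whose attribute values contain markup delimiters or a script-capable URL scheme. It assumes the site's normal WordPress functions are available; the characters it looks for are a review heuristic, not a signature.

```php
<?php
// Added audit helper, not part of the plugin or the advisory. Run inside a
// WordPress bootstrap, e.g. `wp eval-file audit-colibri-newsletter.php`.
// It reports every post whose content carries a [colibri_newsletter] shortcode
// with an attribute value containing markup delimiters or a script-capable
// URL scheme, so a reviewer can inspect the post. Revisions are not searched.

function audit_colibri_newsletter_shortcodes() {
    $findings = array();
    // Regex for this one tag; capture group 3 is the raw attribute string.
    $pattern  = '/' . get_shortcode_regex( array( 'colibri_newsletter' ) ) . '/s';
    $posts    = get_posts( array(
        'post_type'   => 'any',
        'post_status' => 'any',
        'numberposts' => -1,
        's'           => '[colibri_newsletter',
    ) );

    foreach ( $posts as $post ) {
        if ( ! preg_match_all( $pattern, $post->post_content, $matches, PREG_SET_ORDER ) ) {
            continue;
        }
        foreach ( $matches as $m ) {
            $atts = shortcode_parse_atts( $m[3] );
            if ( ! is_array( $atts ) ) {
                continue;
            }
            foreach ( $atts as $name => $value ) {
                // Angle brackets, quotes, or a javascript:/data: scheme would
                // not survive esc_attr()/esc_url() unchanged; flag for review.
                if ( preg_match( '/[<>"\']|^\s*(javascript|data|vbscript)\s*:/i', (string) $value ) ) {
                    $findings[] = array(
                        'post_id'   => $post->ID,
                        'author_id' => (int) $post->post_author,
                        'modified'  => $post->post_modified_gmt,
                        'attribute' => $name,
                        'value'     => $value,
                    );
                }
            }
        }
    }
    return $findings;
}

foreach ( audit_colibri_newsletter_shortcodes() as $f ) {
    printf( "post %d (author %d, modified %s UTC): %s=%s\n",
        $f['post_id'], $f['author_id'], $f['modified'], $f['attribute'], $f['value'] );
}
```

The author id is the post's author, not necessarily the account that inserted the shortcode; cross-check against the site's edit history before acting on a finding.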
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: Wordfence
- Date Reserved: 2025-08-27T20:15:51.490Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 68e9c57e54cfe91d8fee2b9c
Added to database: 10/11/2025, 2:48:30 AM
Last enriched: 10/11/2025, 3:03:28 AM
Last updated: 10/11/2025, 8:27:52 AM